(54) Automated transaction system with modular printhead having print authentication feature



(57) An automated transaction system employs a
terminal for printing a value indicia, such as a postmark,
on an article. The terminal contains a modular printer
unit which has a printhead and a dedicated microprocessor
physically permanently bonded together such that
the printhead microprocessor cannot be physically tampered
with without disabling the printhead. The modular
printer unit includes a first supply of visible ink and a
second supply of invisible ink and an internal program
for printing the value indicia with visible ink and an
authentication code, which uniquely corresponds to the
value indicia, with invisible ink. The invisible value indicia
can be subsequently verified as authentic by
machine reading of said invisible authentication code
and comparing the authentication code for correspondence
to the value indicia.

Description

FIELD OF INVENTION 

The invention relates to an automated transaction
system which receives a user card having a microprocessor
for executing secure transactions in which an
article or item of value is dispensed from a terminal, and
an account balance stored in the card's memory is debited.
In particular, the invention is applied to a postage
transaction system in which a postage account is maintained
within the microprocessor card and is used in
transactions with postage printing and metering terminals.

BACKGROUND OF INVENTION

Point-of-sale (POS) terminals and automated teller
machines (ATM) have been widely used in conjunction 
with various types of cards issued to users for sale or 
credit transactions. For example, banks regularly issue 
account cards which have a magnetically coded number 
stored on a stripe for accessing the user's account 
through ATM terminals. Credit cards which have coded 
magnetic stripes are inserted in ATM or POS terminals 
to access a central account system for authorization of 
a credit transaction. There also have been proposals to 
use cards which have large non-volatile memories, e.g. 
magnetic, integrated circuit (IC), or optical memory stor- 
age, for storing and retrieving information specific to the 
user, such as a medical history, biographical history, 
maintenance of an account balance and transaction his- 
tory, etc. 

These conventional systems generally employ a
card which has a passive memory that is read in a card
reader or computerized terminal maintained by a vendor.
The security of the cards is problematic since most
account cards used conventionally are passive and do
not authenticate themselves or the particular transactions
for which they are used. Instead, on-line access
through a terminal to a central account system, such as
bank or credit card account records, is required for
confirmation of each transaction. This requirement places
an access time and cost burden on vendors, such as
bank branches and retail stores, which must maintain
the terminal facilities, as well as on the operator of the
central account system, which must provide sufficient
on-line access for all the users of the system and
ensure the security of the entire system.

By comparison, off-line transactions, i.e. between a
user with an authorized card and a terminal not connected
to a central account system, have the advantage
that the vendor does not have to confirm each transaction.
A card bearer merely inserts the card in a terminal
to pay for a purchase and the authorized amount of the
card is debited for the amount of the transaction. In
off-line transactions, the vendor's responsibility can be
reduced and the transaction process simplified, so that
a transaction can be completely automated through the
use of widely distributed user cards and automated
terminals.

However, off-line transactions are more vulnerable
to the use of counterfeit cards and to tampering with the
terminals. Thus, the cards have to be made secure and
the transactions limited to small amounts. As an example
of conventional card security measures, a memory
card can be divided into a number of separately validatable
sectors of limited value which are irreversibly debited
with each transaction, as disclosed in U.S. Patents
4,204,113 and 4,256,955 to Giraud et al. A personal
identification number (PIN) can be written into the card's
memory at the time of issuance and requested of the
user with each transaction. Terminals are generally
made secure by maintaining them in areas to which
access is restricted or supervised. However, these
requirements increase the cost of operating the system
and at the same time decrease its utility.

The sophistication of card counterfeiting and credit
fraud has increased with the widespread use of account
and credit cards, and even greater security measures
are currently needed to ensure the validity of card
transactions. Conventional microprocessor cards employ
resident programs to control access to data stored on
the card, store a selected user PIN to confirm an
authorized user, and prevent use of the card if an
unauthorized user is detected, such as after a limited number
of incorrect PIN entries. Although such microprocessor
cards provide greater security than passive cards, the
overall system is still vulnerable in that, once a valid
user's PIN has been ascertained, a stolen card can be
used for unauthorized transactions in any terminal, and
the terminals themselves are subject to penetration.
These vulnerabilities can be offset by limiting the
authorized amount of the card, controlling access to the
terminals, or requiring on-line confirmation of transactions.
However, such measures again increase the cost
of the system and decrease its utility.

One potential area of application of automated
systems employing account or credit cards is in postage
vending and metering machines. Purchases of postage
and mailing transactions are made primarily in person
with cash through tellers at post offices. Only limited
types of postage stamps can be purchased from public
vending machines. Most private postage metering
machines have limited operational features and must
have their metering devices removed periodically to a
post office for refilling. The size and weight of the
metering devices make them inconvenient to carry. Some
metering systems can be refilled by a remote computer,
but the caller must still phone the computer center and
execute the operator's instructions on the postage
meter manually.

The elimination of cash purchases, in-person mailing
transactions, unnecessary limitations on automated
postal services, and physical refilling of postage metering
machines could greatly reduce the waiting lines at
post offices and facilitate the wider dissemination of
postage vending and metering machines for the
convenience of users and provide greater access to postal
services. The use of account or credit cards for automated
postal machines has been considered. However,
the security problems of conventional card automated
systems would require that user cards be validated only
for relatively small amounts of prepaid postage, that
vending and metering machines provide limited postal
products and be refilled with limited total postage
amounts, and that access to the machines be strictly
controlled. These restrictions are a substantial obstacle
which contributes to the difficulty of implementing an
automated postal transaction system.

SUMMARY OF INVENTION 

In view of the foregoing disadvantages and problems
of conventional systems, it is a primary purpose of
the invention to provide an automated transaction sys- 
tem which has security features that will facilitate the 
widespread use of account or credit cards for off-line 
transactions and the dissemination of automated trans- 
action terminals to which access does not have to be 
strictly controlled. A principal object of the invention is to 
provide an interactive card/terminal system in which the 
card and the terminal each have a security feature 
which prevents the completion of a requested transac- 
tion unless a secure handshake recognition procedure 
is mutually executed between the card and the terminal 
such that they each recognize the other as authorized to 
execute a transaction. In particular, it is desired that the 
card and the terminal cooperate together to execute a 
simultaneous dispensing of value by the terminal and 
debiting of an authorized balance by the card. 

A specific object of the invention is to apply the
above-mentioned automated transaction system to 
postage metering machines. A further object is to pro- 
vide a new generation of card automated postal termi- 
nals which have greater flexibility in the range of postal 
products and services offered, wherein the terminals 
are individually secure and can be accessed in rela- 
tively unrestricted areas, and the cards can be refilled at 
any desired location through secure refilling terminals 
validated by the issuer. 

In accordance with the purposes and objects of the 
invention, a card automated transaction system 
employs a card having a secure, resident microproces- 
sor which operates to confirm that a requested transac- 
tion is authorized and to then initiate an interactive 
handshake recognition procedure with a resident micro- 
processor in the value dispensing section of an auto- 
mated terminal. Upon successful completion of the 
handshake procedure, the card microprocessor and the
dispensing section microprocessor simultaneously
actuate the dispensing of the requested article or item 
of value and the debiting of an authorized balance from 
the card. 

A particular embodiment of the invention is a
mutual handshake recognition procedure executed as
follows: (1) upon confirming that a requested transaction
is authorized, the card passes to the terminal a
word comprising a randomly generated or other object
number encrypted by a first resident algorithm and a
key number stored in the card; (2) the terminal decodes
the number using a corresponding inverse of the first
algorithm and the key number; (3) the terminal sends
back to the card a second word comprising the decoded
random number encrypted by a second resident algorithm
and the key number; (4) the card decodes the second
word using a corresponding inverse of the second
algorithm and the key number and compares the
decoded number to the one originally sent; (5) if the
numbers match, the card microprocessor debits its
authorized balance for the indicated amount of the
transaction and sends an actuation signal to the terminal
to proceed with the transaction; and (6) upon receipt
of the actuation signal, the dispensing microprocessor
actuates the dispensing section to complete the transaction.
The transmitted actuation signal may also be
encrypted and decoded by the above algorithms or a
similar method.
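
The six-step handshake above, sketched as an added Python example (it is not code from the patent). The "resident algorithms" are stood in for by a keyed 4-round Feistel permutation used under different labels; the class names, labels, 16-byte number size, the encrypted actuation format and the amounts in cents are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

BLOCK = 16                                              # size of the random number (assumed)
ALG1, ALG2, ALG_ACT = b"first", b"second", b"actuate"   # hypothetical algorithm labels


def _f(key, label, rnd, half):
    """Feistel round function: HMAC-SHA256 truncated to half a block."""
    msg = label + bytes([rnd]) + half
    return hmac.new(key, msg, hashlib.sha256).digest()[:BLOCK // 2]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encode(key, label, block):
    """Stand-in 'resident algorithm': invertible permutation keyed by key and label."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, label, rnd, right))
    return left + right


def decode(key, label, block):
    """The corresponding inverse algorithm."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, label, rnd, left)), left
    return left + right


class Card:
    def __init__(self, key, balance, limit):
        self.key, self.balance, self.limit = key, balance, limit
        self._pending = None            # (number, amount) of the open handshake

    def begin(self, amount):
        """Step 1: confirm the request is authorized, then send the first word."""
        if not 0 < amount <= min(self.limit, self.balance):
            return None
        number = secrets.token_bytes(BLOCK)
        self._pending = (number, amount)
        return encode(self.key, ALG1, number)

    def finish(self, word2):
        """Steps 4-5: decode the second word, compare, debit, send actuation."""
        pending, self._pending = self._pending, None    # each number is used once
        if pending is None or len(word2) != BLOCK:
            return None
        number, amount = pending
        if not hmac.compare_digest(decode(self.key, ALG2, word2), number):
            return None                                 # no match: no debit
        self.balance -= amount
        return encode(self.key, ALG_ACT, number)


class PrinterMPU:
    def __init__(self, key):
        self.key = key
        self._number = None
        self.printed = []               # amounts actually dispensed

    def respond(self, word1):
        """Steps 2-3: decode with the inverse of the first algorithm,
        then encrypt the result with the second."""
        self._number = decode(self.key, ALG1, word1)
        return encode(self.key, ALG2, self._number)

    def actuate(self, signal, amount):
        """Step 6: print only on an actuation signal tied to this handshake."""
        number, self._number = self._number, None
        if number is None or signal is None or len(signal) != BLOCK:
            return False
        if not hmac.compare_digest(decode(self.key, ALG_ACT, signal), number):
            return False
        self.printed.append(amount)
        return True


def transact(card, printer, amount):
    """Run one transaction over the channel between card and printer."""
    word1 = card.begin(amount)
    if word1 is None:
        return "refused by card"
    signal = card.finish(printer.respond(word1))
    if signal is None:
        return "handshake failed"
    return "printed" if printer.actuate(signal, amount) else "actuation rejected"


# Constructed sample keys; amounts are in cents.
ISSUER_KEY = b"constructed issuer key A"
OTHER_KEY = b"constructed issuer key B"

if __name__ == "__main__":
    card = Card(ISSUER_KEY, balance=500, limit=300)
    print(transact(card, PrinterMPU(ISSUER_KEY), 29), card.balance)
    print(transact(card, PrinterMPU(OTHER_KEY), 29), card.balance)
```

A printer holding a different key number returns a second word that does not decode to the card's number, so the card neither debits nor sends an actuation signal.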

Under the principles of the invention, the
above-described interactive card automated transaction system
is applied to postage metering machines. In one
embodiment, a postage metering terminal has a slot for
receiving a microprocessor card issued with an authorized
balance, a print head with a secure microprocessor
which interacts with the card microprocessor, a keypad,
a display, and an operations microprocessor which
accepts a keyed input of the postage amount requested,
displays the keyed input, queries the card to authorize
and initiate the postage printing transaction, and then
resets the machine for the next transaction or executes
a series of transactions in a repeat mode.

In a related embodiment, a postage metering terminal
has a first slot for receiving a user microprocessor
card, a second slot for receiving a postal rate card, a
print head with a secure microprocessor, a keypad and
other means for entering source and destination (postal
zip) codes, means for entering the weight and postal
class of the article to be mailed, and an operations
microprocessor having a program for calculating the
correct postage based upon the listings of the rate card
and the keyed-in information.

The card automated postal transaction system can
be readily applied not only to the postal products and
services of the U.S. Postal Service, but also to private
carriers and parcel delivery companies. In a further
embodiment a postal waybill terminal has a third slot for
receiving a special services card which has stored data
from which the terminal can print postal and delivery
services information on standard form blanks. For
example, the special services card can be used to print
Post Office forms, such as Certified Mail or Registered
Mail, or the waybills of private carrier companies. The
terminal is also provided with a full field display of the
waybill form, prompts the user for information by
programmed cursor movements, and has command keys
for inputting sender and addressee information, rate or
service class, waybill number, carrier information, etc.

As subsidiary features, the microprocessor cards
can be configured to provide different types of access to
the terminals as desired, for example, limited numbers
or types of users in limited numbers or types of
machines, unlimited users in limited machines, limited
users in unlimited machines, or unlimited users in
unlimited machines. The different types of access can be
implemented by storing key numbers in the card for
identifying authorized users, and/or machines, and/or
key numbers in the terminal operations microprocessor
for identifying authorized users. The user cards can also
be configured at the time of issuance for limits to the
amounts and types of individual transactions, and temporary
or permanent locking upon detection of an unauthorized
user or card. Another system feature is the
storing of a history of transactions executed by the card,
and the recomputing of the remaining balance upon
each transaction request, in order to save card memory
space. A separate transaction printer may be used to
obtain a printout of the card's transaction history.

The postage metering terminals according to the
invention are also provided with means for allowing a
post office or carrier to authenticate the postage marks
or waybills that are printed. In one embodiment, the
terminal printer prints within or under the postmark a
coded number or sequence of marks corresponding to
an element of the postmark, such as the amount of
postage, the terminal identification number, and/or the
sender's zip code. The marks may be disguised or
made invisible by printing with a magnetically or optically
readable ink to deter tampering or unauthorized
simulation. They may then be machine-read by the post
office or private carrier company to determine whether
the printed postmark was printed by an authorized
printer, and at the same time provide an audit trail to the
sender.

In accordance with a further application of the
invention, an integrated system of microprocessor cards
and terminals provides transaction facilities which permit
widespread use and convenient access to users.
The authorized amount of the user card may be initially
validated or refilled from a master refilling card, which
has a larger authorized amount, preferably in conjunction
with a supervisor card issued under strict distribution
control. A refilling terminal is provided with three
insertion slots for the three cards, and has an operations
program to check the identity of the master refilling
card and the user card to determine if they are valid for
use in the refilling terminal. Upon clearance, the secure
handshake recognition procedure must be successfully
executed between the microprocessors of the supervisor
and master cards in order to permit a debit to the
master card of the refill amount and a credit to the user
card. If the user card is a new card, a validation procedure
and the selection and storing of a user PIN are
executed.



The card automated transaction system of the
invention has broad applicability to many other types of
purchase or credit transactions besides postal services
and products. For example, it can also be used for credit
card transactions, inventory control, bills of lading,
automated cash machines, or virtually any other type of
transaction in which a user account must be securely
debited through an automated terminal in exchange for
an article or item of value. The invention is especially
advantageous in off-line transactions in which distributed
terminals not under strict access controls are used.
The above principles, advantages, and features of the
invention are described in further detail below in
conjunction with the following drawings.

BRIEF DESCRIPTION OF DRAWINGS 

Fig. 1 illustrates schematically a preferred embodiment
of an automated postal transaction terminal
using a microprocessor card in accordance with the
invention;

Fig. 2a shows a structure in the embodiment of Fig.
1 for executing a secure handshake recognition
procedure between the microprocessor card and a
value dispensing section of the terminal, and Fig.
2b outlines the handshake sequence;

Fig. 3 illustrates the multiple levels of security
provided by the system of Fig. 1;

Fig. 4 shows another embodiment of the postal
transaction terminal of the invention which receives
a rate card for automatically computing postal
amounts;

Fig. 5 is a flow diagram of the operation of the
terminal of Fig. 4;

Fig. 6a shows the use of coded marks for authentication
of a postmark printed by a postal transaction
terminal, and Fig. 6b shows one exemplary form of
authentication coding;

Fig. 7 illustrates schematically a preferred embodiment
and an optical scale of an automated waybill
printing terminal using a microprocessor card and a
special services card in accordance with the invention;

Fig. 8 is a flow diagram of the operation of the
terminal of Fig. 7;

Fig. 9 illustrates a standard form of waybill and cursor
prompts for filling in its information fields;

Fig. 10 illustrates schematically a preferred embodiment
of an automated refilling terminal using a
microprocessor card, a master card, and a supervisor
card in accordance with the invention;

Fig. 11 is a flow diagram of the operation of the
terminal of Fig. 10; and

Fig. 12 shows the integrated system of microprocessor
cards, memory cards, and terminals of the
invention.

DETAILED DESCRIPTION OF INVENTION

In accordance with the basic principles of the invention,
an automated transaction system employs a
microprocessor card in an automated transaction terminal.
Various types of microprocessor cards are available
commercially, and the technology of manufacturing
such cards and using them in terminal devices is well
understood. As an example, Micro Card Technologies
Inc. of Dallas, Texas, makes the Micro Card Mask M4
card which is a standard (ISO) size, similar to a credit
card, having an 8-bit microprocessor, 8 contact pinout,
9600 bps asynchronous serial exchange protocol, 12.8
Kbits of Read-only Memory (ROM), 288 bits of Random
Access Memory (RAM), and 8 Kbits of Erasable/Programmable
ROM (EPROM). An array of electrical contacts
provided in one section of the card connects with
the corresponding contacts in the terminal to allow the
card microprocessor to communicate data with the terminal.
It is of course understood that other types of data
communicating connections can be used, such as, for
example, by magnetic induction.

The conventional microprocessor card as used in
the present invention operates by executing an internally
stored program (firmware) which cannot be
accessed from the outside. The firmware may be written
in randomized form to secure it against tampering from
the outside. An electrically programmable (EPROM)
memory portion associated with the microprocessor of
the card is generally divided into three zones: a secret
zone which can only be accessed internally; a protected
read/write zone which can only be accessed after a key
number or PIN has been confirmed; and a free-reading
zone. The card is used in a terminal for performing
desired functions in accordance with the rules, procedures,
and data stored in or executed by the card and
the terminal.

When conventional microprocessor cards are
issued to individual users, a validation procedure is executed
on a validating terminal. The procedure generally
requires the issuer to enter the correct manufacturers'
serial number of the card in order to confirm that the
card is authorized. A PIN is then assigned to or selected
by the cardholder and stored in the secret zone. Moreover,
a secret key number unique to the issuer, which
may be common to a class or chronological series of
cardholders, may also be stored in the secret zone. In
some card systems, the secret key is used as an argument
of an encryption algorithm to send an encrypted
word to the terminal for verification. If the word can be
decoded by the terminal to derive the secret key, the
card is presumed to be authentic. Upon completion of
the validation procedure, the card MPU irreversibly
alters its program so that no further words can be written
in the secret memory zone. Thereafter, upon using
the card, a user must enter the correct PIN in order to
confirm that the card is being used by its authorized
user. Conventional microprocessor cards also have the
feature of temporarily or permanently locking the card
from use if a succession of incorrect PIN entries on a
terminal is detected.

At the time of issuance, an amount in monetary or
other units is validated for the card being issued. In
conventional cards, the amount is permanently written in
one of a plurality of transaction sectors in the protected
memory zone. Each time the card is to be "filled" with a
new amount, one of the sectors is unlocked and written
with a new amount by the issuer. Thus, a limited authorized
amount can be written each time, and the card is
then refilled a number of times before its memory space
is used up. This is a security feature to minimize monetary
loss in case the card is lost or stolen. The authorized
amount is decremented with each transaction and
a new balance is written until the balance is used up.
Although any amount or balance can be written into the
card's transaction memory, as a further security feature
the card may prevent a balance being written which
exceeds a predetermined limit or a previously written
balance.

A card automated transaction system incorporating
the particular features of the invention will now be
described. It should be understood that although particular
embodiments are described, the invention is not
limited to such embodiments, but encompasses all
modifications and variations which use the principles of
the invention. For purposes of this description, the
transaction terminal is selected to be a postage metering
terminal for printing a postmark on a label, envelope,
or waybill for articles to be mailed or shipped. However,
it should be understood that the general principles of the
invention have broad applicability to any type of transaction
terminal in which a microprocessor card may be
used. For example, the terminal may also be a cash or
article dispensing machine or a printer which prints
validation marks, coupons, receipts, tickets, inventory
documents, etc.

Postage Metering Terminal 

Referring to Fig. 1, a microprocessor card 10, as
previously described, is adapted to be inserted in a card
insertion slot 11 of an automated terminal device 20.
The smartcard 10 has a contact section 12 which has a
number of contacts 13 connected to the pinout leads of
an IC chip including a microprocessor unit (card MPU)
60 laminated beneath a protective layer of the card contact
section 12. The contacts 13 are mated with corresponding
contacts 23 of a terminal contact section 22
upon insertion of the card 10 into the slot 11 in the direction
indicated by arrow A. As the card is inserted, its
leading edge abuts a part of the terminal contact section
22 which is moved in the same direction, indicated by
arrow B, so as to merge in operative electrical contact
with the card contact section 12. A trip switch 22a is
provided at the base of slot 11, and triggers a start signal to
an operations microprocessor (terminal MPU) 30 when
the card has been fully inserted in position in the slot.

The card MPU 60 executes an internally stored
(firmware) program to check whether a requested transaction
is authorized and, prior to debiting the card
account balance, to perform a secure handshake recognition
procedure (described further below) with a
microprocessor in the terminal. Although the handshake
procedure can be performed with an operations
microprocessor for the terminal, or one remote to the terminal,
it is preferred in the invention that the procedure be
performed with a secure microprocessor embedded in
the actual value dispensing section of the terminal. The
value dispensing section is a separate element in the
terminal, and its microprocessor is made physically
secure, such as by embedding it in epoxy, so that any
attempt to tamper with it would result in rendering the
value dispensing section inoperative. For the postal
transaction terminal of the invention, the microprocessor
is embedded in the printer unit which prints the postmark.

The terminal contacts 23 are connected with the
functional parts of the terminal, including a Clock
synchronizing connection 24, a Reset connection 25, an
operational voltage Vcc connection 26, an Input/Output
(I/O) port 27, an EPROM-writing voltage Vpp connection
28, and a ground connection 29. The terminal MPU
30 controls the interface with the card and the operation
of the various parts of the terminal, including a keyboard
31, a display 32, such as an LCD, and a postmark
printer 40, which is the value dispensing section of the
terminal. A power source Vo is provided by a battery
and/or an external AC or DC line to power the various
parts of the terminal.

The printer 40 has a microprocessor unit (printer
MPU) 41 which individually and uniquely controls the
operation of a print head 42, such as an electrothermic
or impact print head. The MPU 41 executes an internal
program (firmware), like the card microprocessor, so
that it cannot be tampered with from the outside. The
printer MPU's internal program includes unique encryption
algorithms parallel to those stored in the card's
microprocessor, installed by the manufacturer, so that
the printer MPU can execute a secure handshake recognition
procedure with the card's microprocessor to
authorize a requested transaction. The MPU 41 is also
formed integrally with the print head 42, such as by
embedding in epoxy or the like, so that it cannot be
physically accessed without destroying the print head.
Thus, according to the invention, the print head 42 of
the postage metering terminal 20 can only be operated
through the MPU 41, and will print a postmark only
when the handshake recognition procedure and a postmark
print command have been executed between the
card MPU and the printer MPU 41.

When a terminal is to be installed by the issuer in a
location or distributed to a retail intermediary for field
use, the issuer may also execute a validation procedure
for the terminal similar to that for the card. A secret key
number may be written in the secret memory zone of
the printer MPU 41, so that postage printing transactions
can only be executed with cards provided with the
corresponding secret key number. Thus, cards validated
by another issuer, even though obtained from the
same manufacturer, will not be usable in the first-mentioned
issuer's machines.

The terminal MPU may of course be used for the
handshake recognition procedure. However, it is preferable
to have the procedure executed by the part which
is actually dispensing the article of value, and to leave
the terminal MPU operable for general terminal operations.
A machine ID number (MIN) may also be
assigned to the terminal so that it can be recorded in the
transaction history maintained on the card. As a further
feature, the MIN for one or more of the issuer's terminals
can be stored in cards which are to be used only in
those terminals. Thus, in an automated terminal system
provided for one company, the terminals within the company
can only be used with the cards issued to the
employees of that company which have the company's
secret key number and, optionally, the terminals within a
department of the company may be configured to
accept only cards provided with the MINs of that
department's machines.

The interactive operation of the card/terminal system
will now be described. Upon inserting a card in slot
11, the trip switch 22a is triggered, and the terminal
MPU 30 initiates an identification request procedure to
confirm that the card is being used by an authorized
user. For example, the terminal MPU may cause a
prompt to appear on the display 32 requesting that the
user enter a PIN. The number entered by the user is
sent by the terminal MPU to the card MPU where it is
checked against the PIN number(s) stored in the secret
zone of the card's memory. If the number matches, the
card MPU notifies the terminal MPU 30 to proceed. If
the card is restricted for use only in particular machines,
the card may request the terminal's MIN and check it
against a stored list of authorized terminal numbers. If
the terminal is restricted for use only with certain cards,
the terminal may check the PIN or a card identification
or account number against a stored list of authorized
card numbers. As another security feature, the card
program may check the number of incorrect PIN entries
attempted or a card expiration date written in memory at
the time of issuance. If the incorrect PIN entries
exceed a predetermined number, or if the current date
indicated from the terminal MPU 30 is past the expiration
date, the card MPU 60 can lock the card against further
use until the user has had it revalidated by the
issuer.

If the initial confirmation procedures are passed,
the terminal MPU 30 next prompts the user to enter
information for a postage transaction. The user inputs
on keypad 31 the amount of postage requested and, as
a further option, the zip code of the sender's location
and the date. As the information is supplied in
sequence, i.e. "Amount", "Zip", and "Date", it is displayed
on display 32 for confirmation. Alternatively, the
date may be maintained by the terminal MPU 30, and
displayed for user confirmation. When all the correct
information has been entered, an edge of an envelope
51 to be mailed, or a label or mailing form to be attached
to an item to be mailed, is inserted in a slot 50 on one
side of the postage metering terminal 20. The movement
of the label or envelope may be controlled to bring
it in registration with the print head, as provided in
conventional metering machines. The user then presses
the "Print" key to initiate a postage printing transaction.

Handshake Recognition Procedure 

A basic principle of the invention is that the actual
execution of a value-exchanging transaction is securely
controlled by a mutual handshake recognition procedure
between a secure microprocessor maintaining the
card account balance and a secure microprocessor
controlling the value dispensing operation. The card's
MPU must recognize the value dispensing section's
microprocessor as valid, and vice versa, in order to
execute a transaction. The card and the value dispensing
section therefore can each remain autonomous and
protected against counterfeiting or fraudulent use even
if the security of the other has been breached. Since
they are autonomous, the cards and terminals can be
distributed widely with a low risk of breach of the system
and without the need for strict access controls. It thus
has significant cost and security advantages over
conventional card automated transaction systems.

A two-way encrypted handshake embodiment will
now be described. However, it should be understood
that the invention is intended to encompass any mutual
handshake procedure by which the card and dispensing
microprocessors can recognize the other as authorized
to execute a requested transaction. In the preferred
postage terminal embodiment, the handshake procedure
is executed between the card MPU 60 and the
printer MPU 41. As illustrated schematically in Fig. 2a,
when the "Print" key signal is received by the terminal
MPU 30, the latter opens a channel 61 of communication
between the card MPU 60 and the printer MPU 41.
A "commence" signal and the amount of the requested
transaction, i.e. postage, is then sent from the terminal
MPU 30 to the card MPU 60, and a similar "commence"
signal to the printer MPU 41, in order to prepare the way
for the handshake procedure.

Referring to Fig. 2b, the card MPU 60 initiates the
handshake procedure upon receipt of the "commence"
signal by first verifying if the requested amount is
available for the transaction. As an advantageous feature of
the invention, the card MPU 60 checks the available
balance of the card and (if implemented in the card's
program) whether the requested transaction is within any
limits specified by the card issuer. For example, use of
the card can be limited to a maximum postage amount
and/or class of postage for each transaction or a
cumulative total of transactions. Upon verifying that the
requested transaction is authorized, the card MPU 60
encrypts an object number N, which may be a randomly
generated number, with a key number k1 (which may be
the user's PIN) stored in the secret zone of its memory
by a first encryption algorithm E1 and sends the
resultant word W1 through the handshake channel 61 of
terminal MPU 30 to the printer MPU 41.

Upon receipt of the word W1, the printer MPU 41
decodes the number using the same number k1 by the
inverse algorithm E1'. The number k1 may be a secret
key number stored in the printer MPU's memory at the
time of validation, or in an open system, it may be the
PIN entered by the user on the terminal, or a combination
of both. The printer MPU 41 then encrypts the
decoded number with the number k1 by a second
encryption algorithm E2 to send a second word W2
back to the card MPU 60.

Upon receipt of the word W2, the card MPU 60
decodes the number again using the key number k1 by
the inverse of the second algorithm E2', and compares
the decoded number with the number it used in the first
transmission. If the numbers match, the handshake
procedure has been successfully completed, and the card
and printer MPUs have recognized each other as
authorized to execute the requested transaction. The
card MPU then debits the postage amount from the card
balance, and then sends a print command and the
postage amount to the printer MPU. The printer MPU prints
the postage on envelope 51, in cooperation with the
terminal MPU 30 which controls the movement of the
envelope under the print head. The printer MPU then sends
an "end" signal to the terminal MPU 30, which
accordingly switches off the handshake channel 61 and resets
itself to receive the next transaction request.

In the preferred embodiment, the card MPU 60
stores only the amount of the transaction in its
transaction record, and does not store the new balance.
Instead, the balance is recomputed from the original
authorized amount and the stored history of transaction
debits at the time a transaction is requested. This
procedure substitutes the MPU's computing power to save a
significant amount of card EPROM memory space.
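The handshake and debit sequence described above, together with the balance recomputed from the debit history, as an added example that is not part of the patent text. The Feistel `cipher` standing in for E1/E2 and their inverses, the `Card` and `Printer` classes, and the key and amounts are assumptions made for illustration; the terminal MPU's channel 61 is modelled as a direct call.

```python
import hashlib
import hmac
import secrets


def _f(key: bytes, label: bytes, rnd: int, half: bytes) -> bytes:
    """Keyed round function: HMAC-SHA256 truncated to 4 bytes."""
    return hmac.new(key, label + bytes([rnd]) + half, hashlib.sha256).digest()[:4]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cipher(key: bytes, label: bytes, block: bytes, inverse: bool = False) -> bytes:
    """Toy 4-round Feistel permutation on 8 bytes (assumed stand-in for E1/E2).

    label selects the algorithm (b"E1" or b"E2"); inverse=True gives E1'/E2'.
    """
    left, right = block[:4], block[4:]
    if not inverse:
        for rnd in range(4):
            left, right = right, _xor(left, _f(key, label, rnd, right))
    else:
        for rnd in reversed(range(4)):
            left, right = _xor(right, _f(key, label, rnd, left)), left
    return left + right


class Printer:
    """Printer MPU 41: holds k1 and answers the card's challenge."""

    def __init__(self, k1: bytes):
        self.k1 = k1
        self.printed = []                      # postage amounts actually printed

    def respond(self, w1: bytes) -> bytes:
        n = cipher(self.k1, b"E1", w1, inverse=True)   # decode W1 with E1'
        return cipher(self.k1, b"E2", n)               # re-encrypt with E2 -> W2

    def print_postage(self, cents: int) -> None:
        self.printed.append(cents)


class Card:
    """Card MPU 60: keeps the authorized amount and a record of debits only."""

    def __init__(self, k1: bytes, authorized_cents: int, per_txn_limit: int):
        self.k1 = k1
        self.authorized_cents = authorized_cents
        self.per_txn_limit = per_txn_limit     # issuer-specified limit
        self.debits = []                       # transaction record: amounts only

    def balance(self) -> int:
        # The balance is never stored; it is recomputed from the history.
        return self.authorized_cents - sum(self.debits)

    def transact(self, printer: Printer, cents: int) -> str:
        # Step 1: check issuer limits and available balance before anything else.
        if cents <= 0 or cents > self.per_txn_limit or cents > self.balance():
            return "refused"
        # Step 2: encrypt a fresh random object number N under k1 with E1.
        n = secrets.token_bytes(8)
        w1 = cipher(self.k1, b"E1", n)
        # Step 3: the printer returns W2; decode it with E2' and compare to N.
        w2 = printer.respond(w1)
        if not hmac.compare_digest(cipher(self.k1, b"E2", w2, inverse=True), n):
            return "handshake failed"          # no debit, no print command
        # Step 4: debit first, then issue the print command.
        self.debits.append(cents)
        printer.print_postage(cents)
        return "printed"


def demo():
    """Run a genuine printer, a printer without k1, and an over-limit request."""
    k1 = b"constructed-secret-k1"              # constructed sample key
    card = Card(k1, authorized_cents=500, per_txn_limit=200)
    genuine, counterfeit = Printer(k1), Printer(b"not-the-issuer-key")
    results = [
        card.transact(genuine, 90),
        card.transact(counterfeit, 90),
        card.transact(genuine, 250),
    ]
    return results, card.balance(), genuine.printed, counterfeit.printed


if __name__ == "__main__":
    print(demo())
```

A printer that does not hold k1 returns a W2 that does not decode to N, so the card neither debits nor sends the print command.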

The card automated transaction system of the
invention is provided with high security at a plurality of
levels, which is particularly advantageous for off-line
transactions involving large numbers of issued cards
and widely distributed terminal devices. As depicted in
Fig. 3, the encryption algorithms are provided at the first
security level I by the manufacturer, the secret key, PIN,
and/or MIN are provided at security level II by the issuer,
the PIN is used at security level III by a particular user,
and the MIN and/or secret key may be used at security
level IV to operate a particular machine(s).

At level I, the print head of the terminal is only
operable to dispense value, i.e. print postage, if the
encryption algorithms provided by the manufacturer match
those of the card, thereby protecting against counterfeit
cards and terminals. Even if the security of the
manufacturer has been penetrated, and the encryption
algorithms have been obtained by a counterfeiter, the secret
key may be assigned at level II by the issuer and used in
the handshake procedure, thereby deterring the use of
counterfeit cards and terminals which do not have the
secret key. At security level III, a card can only be used
to operate a terminal if the correct PIN is known, and if
initial confirmation procedures are passed. At security
level IV, a card can only be used in a particular terminal
identified by the correct MIN.

A related embodiment of the invention is illustrated
in Fig. 4 which employs a second card having postal
rate data stored in memory to compute the correct
postage automatically. A terminal 20, similar to the one
previously described, includes a second slot 91 for a "rate"
card 90. The terminal has a slot 50 in which a postal
label or envelope 51 is inserted for imprinting by the
printer 40. For a parcel 52, the label 51 is printed then is
affixed to the parcel for mailing. A scale 53 may be
connected to the terminal and MPU 30 to provide the weight
of the envelope or parcel 52.

The rate card has a memory device 92, preferably
an IC ROM, which is accessed and read by the terminal
MPU 30 through contact portion 93 mated in contact
with the pinout terminals of the memory device.
Switches 22a and 92a provide signals when the user
and rate cards have been inserted in the respective
slots. Insertion of the user card initiates operation of the
terminal. If a rate card is not inserted, the terminal MPU
30 can instead request the appropriate postal amount
from the user by a prompt on the display 32. The
terminal MPU may also have a mode for reading postal rates
from the rate card.

The program operation of the postage metering
terminal 20 is illustrated in block diagram form in Fig. 5.
Upon insertion of the user card 10 in slot 11, the user
confirmation procedures previously described are
carried out between the terminal MPU 30 and card MPU
60. If an unauthorized card or user is detected, the card
is locked and the terminal operations are terminated. If
a valid user card is confirmed, the terminal program
then checks if a rate card 90 is inserted and whether it
is valid. Validity can be determined by the issue number
of the card or by an indicated expiration date. If there is
no rate card, the terminal MPU requests the user to
input the desired postage and goes to the print key
decision block 97. If a valid rate card is present, the terminal
program requests the codes for the source and
destination of the item and the class of mail desired. The
program then checks for a signal from the scale 53
indicating the weight of the item. If no scale is
connected or weight indicated, the program requests the
user to input the information.

The rate card memory contains a current listing of
the rates for a particular carrier divided according to
zone classifications, weight, and/or type of mail. For the
U.S. Postal Service, the postage amount is calculated
based upon the origin and destination zip codes, class
of mail, and weight by looking up tables stored in the
rate card memory 92. If the "Print Key" is depressed, the
terminal program then sends the "commence" signal to
the card MPU and printer MPU to execute the
handshake procedure and debiting and printing operations
as previously described. If an "Auto" mode key of the
terminal has been pressed or the user elects to
continue in response to a prompt, the terminal program
returns to the beginning of the transaction loop
indicated at block 94. The "Auto" mode may be used in
conjunction with an automatic feeder for postmarking a
series of envelopes or labels. The terminal operation is
terminated if the transaction loop is not continued, or if
the handshake procedure is not completed.

Postmark Authentication 

In accordance with the principles of the invention as
applied to postage metering terminals, a postmark
authenticating procedure will now be described. The
procedure is provided as a security feature to deter the
printing of a counterfeit postmark by a printer, copier, or
other facsimile device which is not authorized by the
issuer of the above-described card/terminal system.
Conventional high resolution printers and graphics
capabilities of personal computers present an
increasing risk that value-confirming marks, such as a
postmark, ticket, coupon, etc. can be simulated by a
counterfeiter. In the invention, an underlying and/or
invisible machine readable code is printed first and then
overprinted with the human readable postmark. The
code can be uniquely selected by the issuer of the
postage card/terminal system, and periodically changed to
eliminate any benefit from gaining unauthorized access
to the code. Further, the code can be printed with ink
that is invisible in the normal light spectrum, so that it is
readable only with a magnetic, infrared, or ultraviolet
reader.

Referring to an example shown in Figs. 6a and 6b,
a conventional imprinted postmark has a logo or graphic
design 70, text 71 indicating that the postage is issued
through the U.S. Postal Service, numbers 72 indicating
the postage amount, as well as the date 73, city 74,
state 75, and zip code 76 of origin, and the identification
number 77 of the postage meter from which the
postmark was printed. In the invention, coded marks 78 are
printed beneath the visible postmark in a predetermined
code field 79 in invisible, machine readable ink. The
algorithm for the coded marks is selected by the issuer,
for example, representing the binary equivalent of the
postage amount, i.e. "90" cents in Fig. 6a, shown in
binary form in Fig. 6b. The coded marks can represent
any other element of the postmark, such as the meter
identification number or zip code. Alternatively, a bar
code 83 can be printed with a postmark information
section 83a and a check code section 83b, which is
encrypted based upon one of the postmark elements.
The postmark element and/or the encryption algorithm
can be uniquely selected by the issuer. Even if the
coded marks are printed in visible form, the encryption
of a variable postmark element such as the sender's zip
code, date, or postage amount, will make copying
difficult.

The printing of the postmark and authentication
code can readily be incorporated in the card/terminal
system illustrated in Fig. 1. The printer 42 is provided
with a memory 43 to which data representing the visible
information of the postmark and the computed binary or
other selected check code or converted bar code is
transmitted from the terminal MPU 30 and stored. The
fixed graphics of the postmark may be stored in a
memory associated with the MPU 30, which is preferable if
the same terminal has the capability of printing a variety
of postmark graphics for different carriers and/or
classes of service, or it may be permanently stored in a
section of the printer memory 43. The fixed graphics
may instead be stored in the card's memory and loaded
by terminal MPU 30 in the printer memory 43 for a
requested transaction. Alternatively, the fixed graphics
may be provided on a platen which operates with the
print head if only one type of postmark is to be printed.

In the preferred form, the print head 42 is an impact
printer which has two ink ribbons 42a and 42b, one of
invisible, machine readable ink and the other of visible
ink. When the handshake procedure has been
completed, and the print command issued by the card MPU
60, the printer MPU 41 accesses the data stored in the
memory 43 and, in a first pass, prints the coded marks
in invisible ink then, in a second pass, prints the visible
postmark information.

As indicated in Fig. 6a, when mail or other articles
are subsequently presented to a central mail routing
and distribution system, such as that of the U.S. Postal
Service or a private carrier, the postmark may be
passed under a detector 80 which has a visible light
spectrum reader 81 and a code reader 82, such as a
magnetic, infrared, or ultraviolet reader, or a bar code
reader 83 for bar code marks. If the code marks are
absent or if the check code does not correspond to the
element of the postmark selected for coding, an audit
record can be made of the non-conformity, for example,
by recording the meter identification number, date, and
zip code of origin. An investigation of the source of the
unauthorized postage can then be initiated if numerous
articles are found bearing unauthorized postmarks. The
postmark authentication marks of the invention thus
provide an additional level of security against
counterfeiting which is not offered in conventional postal
metering machines.
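The detector check and audit record described above, as an added example that is not part of the patent text. A truncated HMAC stands in for the issuer-selected encryption of the check code; the field names, the key, the investigation threshold and the scan records are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

ISSUER_KEY = b"constructed-issuer-key"    # constructed; changed periodically by the issuer
CODED_ELEMENT = "amount_cents"            # postmark element the issuer selected for coding


def amount_bits(cents: int, width: int = 8) -> str:
    """Binary equivalent of the postage amount, as in the coded marks of Fig. 6b."""
    return format(cents, "0{}b".format(width))


def check_code(postmark: dict, key: bytes = ISSUER_KEY) -> str:
    """Check code section: keyed digest of the selected postmark element."""
    value = str(postmark[CODED_ELEMENT]).encode()
    mac = hmac.new(key, CODED_ELEMENT.encode() + b"=" + value, hashlib.sha256)
    return mac.hexdigest()[:8]


def inspect(scans, key: bytes = ISSUER_KEY):
    """Compare each machine-read code with the visible postmark.

    scans is a list of (visible_postmark, code_read_or_None) pairs, i.e. the
    outputs of the visible light reader and the code reader for one article.
    Returns one audit record per non-conforming article.
    """
    audit = []
    for visible, code in scans:
        if code is None:
            reason = "code absent"
        elif not hmac.compare_digest(code, check_code(visible, key)):
            reason = "code mismatch"
        else:
            continue                       # authentic: nothing to record
        audit.append({
            "meter_id": visible["meter_id"],
            "date": visible["date"],
            "zip": visible["zip"],
            "reason": reason,
        })
    return audit


def meters_to_investigate(audit, threshold: int = 2):
    """Meter numbers appearing on at least `threshold` non-conforming articles."""
    counts = Counter(record["meter_id"] for record in audit)
    return sorted(meter for meter, n in counts.items() if n >= threshold)


def _pm(meter_id, amount_cents):
    # Constructed visible postmark fields for the sample scans below.
    return {"meter_id": meter_id, "date": "constructed-date", "zip": "00000",
            "amount_cents": amount_cents}


# Constructed sample scans: two authentic articles, one whose code was issued
# for a different amount than the visible one, and one with no code at all.
SAMPLE_SCANS = [
    (_pm("M-0001", 90), check_code(_pm("M-0001", 90))),
    (_pm("M-0002", 90), check_code(_pm("M-0002", 25))),
    (_pm("M-0002", 90), None),
    (_pm("M-0003", 32), check_code(_pm("M-0003", 32))),
]


if __name__ == "__main__":
    records = inspect(SAMPLE_SCANS)
    for record in records:
        print(record)
    print("investigate:", meters_to_investigate(records))
```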

Postal Waybill Terminal 

A further embodiment of the invention is illustrated
in Fig. 7 which is adapted for printing standard form
waybills for mailing articles using a wide range of postal
or private carrier services. A terminal 20' includes a slot
11 for a user card 10, a terminal MPU 30, a printer 40
and printer MPU 41, a keyboard 31', and a display 32',
as previously described with respect to Fig. 1. The
terminal also includes a second slot 91 for a "rate" card 90
and a third slot 101 for a "special services" card 100.
The terminal has a slot 50 in which a standard waybill
form 51' is inserted for imprinting by the printer 40. The
waybill 51' is then affixed to an envelope or parcel 52 for
mailing. A scale 53 can be connected to the terminal
and MPU 30 to automatically provide the weight of the
parcel 52.

The rate and special services card have memory
devices 92 and 102, respectively, which are preferably
IC ROMs that are accessed and read by the terminal
MPU 30 through contact portions 93 and 103,
respectively, mated in contact with the pinout terminals of the
memory devices. Switches 22a, 92a, and 102a provide
detection signals when the cards have been inserted in
the respective slots. A display 32' provides a full field
corresponding to the appearance of the waybill form,
and the keyboard 31' includes a full set of alphanumeric
characters and command keys.

The rate card memory contains a current listing of
the rates for a particular carrier. For example, if the
carrier is the U.S. Postal Service, the Post Office rates are
listed according to zone classifications, weight, and
class of mail. The special services card memory
contains a program for filling out a standard waybill form in
accordance with the information required by and with
indicia identifying the mailing services of a particular
carrier. For example, if the carrier is the U.S. Postal
Service, the special services card can provide the
programs for printing waybills for Express Mail, Certified
Mail, Registered Mail, Insured Mail, etc.

The program operation of the postal waybill
terminal 20' is illustrated in block diagram form in Fig. 8, and
a sample waybill form is shown in Fig. 9. Upon insertion
of the user card 10 in slot 11, the user confirmation
procedures previously described are carried out between
the terminal MPU 30 and card MPU 60. If an
unauthorized card or user is detected, the card is locked and the
terminal operations are terminated. With a valid user
card, the terminal program then checks if a rate card 90
and/or a special services card 100 is inserted and
whether each is valid. Validity can be determined by the
issue number of the card or by an indicated expiration
date. If there is no rate card or special services card, the
terminal MPU requests the user to input the desired
postage and goes to the print key decision block 121.
The terminal is then used to print a postmark or postage
label as described previously. If a valid services card is
present, the terminal program displays a menu of
mailing or carrier services from the services card and
requests the user to select a service.

The terminal MPU 30 loads the selected service
program from the service card and executes it, as
indicated at block 118. For typical carrier services, the
service program displays a standard carrier waybill form
used by the selected carrier. For example, if the U.S.
Postal Service Express Mail service is selected, the
form shown in Fig. 9 is displayed. The form includes a
carrier identification field 130, service class field 131,
and pointers on the display for inserting information in
fields 132-137 and 140-146. A waybill identification
number in bar code 138 and characters 139 is selected
for the transaction and displayed. Preferably, the
services card has a list of reserved waybill numbers which
are sequentially incremented for each completed
transaction. If a transaction is not completed, the number is
saved for the next transaction. As described previously,
the bar code can include a section which is an
encryption of one element of the waybill information, so that the
authenticity of the form can be verified by machine
processing of the waybill.

The services program as executed by the terminal
MPU 30 next uses cursor prompts to request the user to
provide information for certain fields, such as the zip
codes of origin and destination 132 and 133, and the
addresses of the sender and recipient 140 and 141. As
the user supplies each item of information and presses
an "Enter" key, the program causes the cursor to shift to
the next field of information to be supplied, as indicated
by the arrows C in Fig. 9. The date and time fields 134
and 135 may be requested from the user or supplied
from the terminal if it is provided with a clock and
calendar. The weight 136 may be provided from the output of
the scale 53, if connected to the terminal, or supplied by
the user. The meter identification number (MIN) is
supplied by the terminal for field 137.

Based upon the origin and destination zip codes
and weight, the postal amount, other service charges,
and total amount 144-146 are calculated and displayed
under program control using the rate card if appropriate.
The total transaction amount is saved. If the "Print" key
is depressed, the terminal program then sends the
"commence" signal to the card MPU and printer MPU to
execute the handshake procedure and debiting and
printing operations as previously described. If an "Auto"
mode key of the terminal is depressed or the user elects
to continue in response to a prompt, the terminal
program returns to the beginning of the transaction loop
indicated at block 113. The terminal operation is
terminated if the transaction loop is not continued, or if the
handshake procedure is not completed.

The terminal can be used to program and print the
waybills of other selected carriers or services by
insertion of the proper user, rate and/or service cards. For
convenience of the automated terminal system, it is
desirable if all postal and waybill forms can be
standardized to one or a limited number of form blanks.

Refilling Terminal 

Another embodiment of the invention is the
provision of a user card refilling terminal which may be
maintained at any desired postal retail or distribution location
for the convenience of the issuer of the cards and users.
A new amount can be "filled", i.e. credited to an
authorized balance maintained in the user card, and a master
refilling card having a greater amount for distribution is
correspondingly debited. In accordance with the
principles of the invention, the secure handshake recognition
procedure is executed before the transaction is
authorized. The refilling terminal can also be used to validate
new cards to be issued.

An exemplary embodiment of the refilling terminal
is shown in Fig. 10, having a first slot 161 for a master
refilling card 160, a second slot 171 for a supervisor
card 170, a third slot 174 for a user card 10, a terminal
microprocessor 30", a keyboard 31", and a display 32".
Each card is of the type described previously, with
secure microprocessors (MPU) 162, 172, and 60,
respectively, in contact with respective terminal contacts
163, 173, and 175. Switches 162a, 172a, and 176
provide detection signals when the cards are inserted in
their respective slots. The operation of terminal MPU
30" is enabled after insertion of a master card 160 and
a supervisor card 170.

A master refilling card is initially purchased from a
central issuer, such as the U.S. Postal Service, an
authorized distributor for the central issuer, or a private
carrier company. It is generally intended to be
purchased by a local refilling entity which provides service
to individual users, such as a bank branch, retail store,
or corporate department. In the preferred embodiment,
it is manufactured in a fixed denomination and remains
locked until it is activated by a supervisor card of the
central issuer. The encryption algorithms used for the
handshake procedure are already written into its MPU
firmware, and it is enabled to execute the handshake
procedure when the secret key number is installed by a
supervisor card during the activation procedure. Once
activated, the master card balance is debited for refilling
transactions until it is used up. A history of all debiting
transactions is maintained in the master card.

A supervisor card is provided by the central issuer
in the custody of an officer or manager of the local
refilling entity and [illegible] is assigned. The
supervisor card is used to unlock all master cards sold to the
refilling entity and to maintain a record of the serial
numbers of the master cards for subsequent card
confirmation procedures. It is used to authorize crediting
transactions to user cards, and maintains a transaction
record of all refilling operations and the identity of the
recipient user cards. The supervisor card is
manufactured with the handshake encryption algorithms in
firmware, and may be provided by the central issuer
with a secret key number to be installed in the master
and user cards. The master and supervisor cards
together allow user cards to be conveniently refilled at
widely distributed local entities without the need for
on-line confirmation of each refilling transaction from the
central issuer. Alternatively, the user card can be refilled
by the master card alone, with the handshake
procedure executed between the user card's MPU and the
master card's MPU. However, the use of a controlling
supervisor card is preferred as an additional level of
security to deter counterfeiting or fraudulent use of the
higher value master cards.

The operation of the refilling terminal will now be
described for the preferred three-card embodiment with
reference to the block diagram of Fig. 11. Upon initiation
of the terminal program, the master card is checked at
block 180 to determine if it is already activated. If not,
the terminal follows an activation procedure at block 181
of confirming the supervisor PIN, checking the master
card serial number, installing a secret key number in the
master card, executing the handshake procedure, then
unlocking the master card's balance, and recording the
master card's serial number, balance, date, and other
transaction information.

If the master card has already been activated, the
supervisor card checks the master card serial number
against its record of authorized master cards. If the
master card is unauthorized, the terminal program goes
to an end procedure at block 197. With an authorized
master card, the terminal program checks if the user
card inserted in the terminal is new or to be refilled. For
a new user card, the refilling terminal executes at blocks
190-193 a validation procedure which includes
checking the designated card serial number with the number
embedded in its memory, recording the user's
identification information, and assigning a user PIN. At block 192,
the terminal prompts the operator for any limitations on
the amounts or type of transactions the card can be
used for, the identification numbers of the terminals to
which the card is restricted, or an expiration date if
required by the issuer. The validation procedure is
completed by installing the secret key number and sealing
the secret memory zone.

If the user card is to be refilled, the user PIN is
confirmed, and then the card is checked for any balance to
be credited toward the new amount or to the user's
account. The old memory section is then locked from
further transactions, and can only be used for reading
out a transaction history. Upon a request for a new
amount, either for a new card that has been validated or
for a card to be refilled, the terminal MPU 30" opens a
handshake channel, and the handshake procedure
previously described is executed between the master MPU
162 and the supervisor MPU 172. When the handshake
procedure is completed, the master balance is debited
and the supervisor card proceeds to open a new
transaction memory section in the user card into which the
new balance is written. The program then provides at
block 197 an end selection of further operations which
may be carried out on the refilling terminal. For
example, another refilling transaction may be processed, the
supervisor card record may be updated, the newly
validated user or master card may be embossed with a
serial number or account number if the terminal is
connected to an embossing machine, or operations may be
terminated.

The described refilling system is protected at
several levels of security. First, a supervisor card is
required, and the user card must be validated by the
user PIN. The master card must be validated by the
supervisor card and must execute the handshake
procedure before the user card is credited with a new
amount. The card/terminal system has the primary
advantage that the debiting of the card balance is
executed in the same time frame that the value dispensing
operation is carried out, and the exchange can only be
carried out for each transaction if the mutual handshake
recognition procedure is executed between the secure
microprocessors controlling each part. Also, the central
issuer purchases the card/terminal system from the
manufacturer with a given set of encryption algorithms,
and then selects a unique secret key not known to the
manufacturer. Thus, penetration of the manufacturer's
security will not compromise the security of the issuer's
system. By issuing cards with defined expiration dates
or series numbers and changing the secret keys
periodically, an issuer system can be made even more
impenetrable to counterfeiters.

The user's card is not merely a passive record of an
account number and balance, but rather operates to
affirmatively protect against unauthorized use of the
card, for example, if a succession of incorrect PIN
entries is made, if the card is used beyond its expiration
date or in an unauthorized machine, or if a requested
transaction is in excess of predetermined limits.
Similarly, the value dispensing part of the terminal is
protected against tampering by the physical bonding of the
printer microprocessor to the print head.

Moreover, since the postal and refilling transactions
executed with cards issued by a central issuer take
place only within the issuer's system, they are protected
from counterfeit cards or cards issued by another
system. One issuer's system thus remains closed to all
other issuers' systems, and several systems can use the
same terminals without interference from the other. For
example, the U.S. Postal Service and several private
carriers can each constitute a separate issuer system
issuing its own cards. A user can purchase a card from
each system and use the proper card in any terminal
maintained at a local entity (branch post office, bank
branch, local retail store) to generate authorized
postage or a waybill for use in the corresponding system.
Thus, users will have the benefit of secure and
convenient access to a wide range of postal and carrier
services.

In the invention, the microprocessor cards (user,
master, and supervisor), memory cards (rate and
special services), and terminals (metering, waybill printing,
and refilling) comprise an integrated postal transaction
system which provides a greatly improved level of
access, convenience, and security, compared to
conventional postal machines. The overall system is
illustrated in Fig. 12. It allows widely issued user cards to be
used in widely distributed postage metering and waybill
printing terminals, with the appropriate rate and/or
services cards, to access a plurality of postal and carrier
services. The refilling terminals allow a central issuer
to distribute postal monetary value to users at widely
distributed locations. Strict physical access controls are
not required, the need to limit the postal amounts and
services obtainable by issued cards is reduced,
in-person purchase transactions are avoided, and on-line
confirmation by a central account office is obviated. The
cards and terminals are configured to be autonomous,
yet mutual recognition and confirmation of validity and
transaction amounts are required, thereby providing a
high level of security for the system.

Further, the invention is not limited to the described automated
postal terminals. The principles of the invention can be adapted to
any other value exchanging transaction where it is desired to use an
account card in an off-line automated terminal system. Thus, the
described smartcards and value dispensing terminals can also be used
for dispensing cash, printing tickets, issuing coupons, etc., and the
user can possess a variety of cards each issued by a central issuer
for the convenient purchase of different articles of value. Also, by
implementing smartcard and terminal MPU programs which check for
authorized machine identification numbers and card serial numbers, or
execute the handshake procedure with different algorithms and/or
secret keys, an issuer's system can be configured so that the
issuer's cards and terminals may be made open or restricted to
certain families, series or locations.

The invention also encompasses other features which are useful
adjuncts to the central concepts described above. For example, a
transaction history printer may be provided from which a user can
print a record of transactions stored in the smartcard upon entry of
the correct PIN. The various cards can be provided with notches on a
border or coded key elements to prevent insertion of the wrong card
in an incorrect terminal slot or in a terminal of another issuer
system. Also, the invention can be adapted for on-line transaction
systems. For example, the terminal MPU can be connected by a
telephone network to a central processing office for approval of a
transaction prior to execution of the transaction. On-line
confirmation may be desired for initialization and refilling
transactions which are less frequent and of higher value than
purchase transactions. As another security feature, the card or
series of cards may be issued with encryption algorithms and/or
secret key numbers which are changed periodically, and the encryption
algorithms and secret keys corresponding to cards presented for a
transaction can be loaded in the terminal at the time the terminal
MPU establishes an on-line connection to the central office.

Based upon the foregoing disclosure, many other peripheral features
and modifications and variations on the principles of the invention
will become apparent to persons familiar with automated terminals and
smartcard systems. It is intended that the embodiments and features
described herein and all further features, modifications, and
variations be included within the allowed scope of the invention, as
it is defined in the appended claims.

Claims 

1. A printer (40) for use with a transaction terminal (20) which has
an input section (31) for inputting a request for printing a value
indicia and an operating section (30) for enabling the terminal to
execute the printing of the requested value indicia on an article,
characterized in that:

the printer (40) is formed as a separate section to the terminal and
has a printhead with a dedicated microprocessor (41) therein for
controlling the printhead;

a first ink supply is provided to supply a visible human-readable ink
to the printhead;

a second ink supply is provided to supply an invisible,
machine-readable ink to the printhead;

the terminal (20) has connecting lines for connecting the printhead
microprocessor (41) to the operating section (30) of the terminal,
and the operating section includes a stored program for receiving the
value indicia request input to the terminal and sending a print
instruction to the printhead; and

the printhead microprocessor (41) includes a stored program for
receiving the print instruction from the terminal operating section
(30), printing the requested value indicia (75) with visible ink from
the first ink supply on an article, generating an authentication code
(79) which uniquely corresponds to the requested value indicia, and
printing the authentication code with invisible ink from the second
ink supply on the article, whereby the printed visible value indicia
can be subsequently verified as authentic by machine reading of the
invisible authentication code and comparing it to the visible value
indicia.

2. A printer for a transaction terminal according to Claim 1, wherein
the printhead microprocessor (41) is physically permanently bonded in
the printhead such that it cannot be physically tampered with without
disabling the printhead.

3. A printer for a transaction terminal according to Claim 1, wherein
the printhead, printhead microprocessor (41), first ink supply, and
second ink supply are physically incorporated together in a modular
unit which is removably mounted in the terminal.

4. A printer for a transaction terminal according to Claim 1, wherein
the printhead microprocessor (41) includes a stored security program
incorporated therein for executing a security procedure through the
terminal operating section to validate whether an input value indicia
request is a valid request and to enable the printhead to print the
value indicia on the article only if the request has been validated.
A modular printer according to any one of the preceding claims
wherein the visible indicia to be printed is a postmark including a
postage amount, and the printhead microprocessor executes the stored
program to generate an authentication code uniquely corresponding to
the postage amount to be printed.

A modular printer according to any one of the preceding claims
wherein the visible indicia to be printed is a postmark including a
postage amount, and the printhead microprocessor executes the stored
program to encrypt the postage amount as a bar code, and to print the
bar code as the invisible authentication code with the postmark.
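
The generate-then-verify flow of Claim 1 and the two postage-amount claims above, as an added example that is not part of the patent text: the printhead derives a code from the visible indicia, and a reader later recomputes it and compares. The patent names no algorithm, so the truncated HMAC-SHA256, the key value, the field layout, and all function names here are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key. Assumption: the real secret is held only inside the
# bonded printhead microprocessor and the issuer's verification equipment.
PRINTHEAD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CODE_BYTES = 8  # assumed tag length, short enough for a small bar code


@dataclass(frozen=True)
class Indicia:
    """Visible postmark fields (hypothetical layout, not from the patent)."""
    amount_cents: int
    date: str        # constructed format, e.g. "2000-01-15"
    machine_id: str  # terminal identification number

    def canonical(self) -> bytes:
        # Length-prefix every field so distinct indicia never share an encoding.
        parts = [str(self.amount_cents), self.date, self.machine_id]
        return b"".join(len(p).to_bytes(2, "big") + p.encode() for p in parts)


def compute_tag(key: bytes, indicia: Indicia) -> bytes:
    """Keyed code that depends on every visible field of the indicia."""
    mac = hmac.new(key, indicia.canonical(), hashlib.sha256).digest()
    return mac[:CODE_BYTES]


def make_auth_code(key: bytes, indicia: Indicia) -> str:
    """Printhead side: the value printed in invisible ink as a bar code."""
    return compute_tag(key, indicia).hex()


def verify_scan(key: bytes, visible: Indicia, invisible_code: str) -> bool:
    """Reader side: recompute from the visible indicia and compare."""
    try:
        scanned = bytes.fromhex(invisible_code)
    except ValueError:  # unreadable or non-hex scan is a failed check
        return False
    return hmac.compare_digest(compute_tag(key, visible), scanned)

if __name__ == "__main__":
    printed = Indicia(32, "2000-01-15", "T-0417")  # constructed sample
    code = make_auth_code(PRINTHEAD_KEY, printed)
    altered = Indicia(320, printed.date, printed.machine_id)
    print("genuine:", verify_scan(PRINTHEAD_KEY, printed, code))
    print("altered amount:", verify_scan(PRINTHEAD_KEY, altered, code))
    print("other issuer key:", verify_scan(b"other-issuer-key", printed, code))
```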